CN105874462B - Notification of application permissions - Google Patents

Info

Publication number
CN105874462B
Authority
CN
China
Legal status
Active
Application number
CN201480071883.3A
Other languages
Chinese (zh)
Other versions
CN105874462A (en)
Inventor
亚历克斯·尼科拉乌
Current Assignee
Google LLC
Original Assignee
Google LLC

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/52 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems during program execution, e.g. stack integrity; Preventing unwanted data erasure; Buffer overflow
    • G06F21/53 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems during program execution, e.g. stack integrity; Preventing unwanted data erasure; Buffer overflow by executing in a restricted environment, e.g. sandbox or secure virtual machine
    • G06F21/55 Detecting local intrusion or implementing counter-measures
    • G06F21/554 Detecting local intrusion or implementing counter-measures involving event detection and direct action
    • G06F21/60 Protecting data
    • G06F21/62 Protecting access to data via a platform, e.g. using keys or access control rules
    • G06F21/6209 Protecting access to data via a platform, e.g. using keys or access control rules to a single file or object, e.g. in a secure envelope, encrypted and accessed using a key, or with access control rules appended to the object itself
    • G06F21/6218 Protecting access to data via a platform, e.g. using keys or access control rules to a system of files or objects, e.g. local or distributed file system or database
    • G06F21/6281 Protecting access to data via a platform, e.g. using keys or access control rules to a system of files or objects, e.g. local or distributed file system or database at program execution time, where the protection is within the operating system
    • G06F2221/00 Indexing scheme relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F2221/21 Indexing scheme relating to G06F21/00 and subgroups addressing additional information or applications relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F2221/2101 Auditing as a secondary aspect

Abstract

Methods, systems, and computer-readable media are provided for granting application permissions and providing notification of API activity. An example method may include receiving a first API call made by an installed application. The method may further include determining a sensitivity level of the received first API call. The method may further include, when the determined sensitivity level of the received first API call is associated with a restricted API category, determining whether the author of the installed application is an authorized author, and, when the author of the installed application is determined to be an authorized author, allowing the received first API call to access its associated API. An example system may include instructions that, when executed by one or more processors, cause the one or more processors to detect an API call made by an application, the API call being for accessing data associated with a computing device, determine a sensitivity level of the API call based on the associated data, and provide an indication of the API call based on the determined sensitivity level.

Description

Notification of application permissions
Background
Security models for applications typically involve presenting some kind of dialog to the user when an application is installed. The user may be given the opportunity to review various access permissions and accept them. After such user acceptance, the installed application generally has access to a set of application programming interfaces (APIs) from then on. Some of the APIs to which the installed application has access may relate to the user's sensitive data or information.
Summary
The present disclosure relates generally to application permissions and data security, and more particularly to techniques related to granting application permissions and providing notification of API activity.
The disclosed subject technology relates to computer-implemented methods for granting application permissions at installation, allowing API calls based on authorization of the application's author, and providing notification of API activity. It should be understood that various embodiments of the subject technology may include any, all, or none of the following features. An example method may include processing a request to install an application that requires access to one or more application programming interfaces (APIs). The method may further include determining a sensitivity level for each of the one or more required APIs. In addition, the method may include, when the determined sensitivity level of at least one of the one or more required APIs is associated with a restricted API category, requiring that the code of the application be delivered using a security mechanism.
Another example computer-implemented method may include receiving a first application programming interface (API) call made by an installed application. The method may further include determining a sensitivity level of the received first API call. The method may further include, when the determined sensitivity level of the received first API call is associated with a restricted API category, determining whether the author of the installed application is an authorized author. In addition, the method may include, when the author of the installed application is determined to be an authorized author, allowing the received first API call to access its associated API.
Another example computer-implemented method may include processing a request to install an application that requires one or more application programming interface (API) calls to be made by the application. The method may further include determining the creating entity of the application. The method may further include determining whether the creating entity is authenticated by one or more trusted entities. In addition, the method may include, when the creating entity is authenticated by at least one of the one or more trusted entities, allowing installation of the application.
Another example computer-implemented method may include detecting an API call made by an application, the API call being for accessing data associated with a computing device. The method may further include determining a sensitivity level of the API call based on the associated data. In addition, the method may include providing an indication of the API call based on the determined sensitivity level.
The disclosed subject matter further relates to systems for granting application permissions at installation, allowing API calls based on authorization of the application's author, and providing notification of API activity. An example system may include one or more processors and a memory including instructions that, when executed by the one or more processors, cause the one or more processors to perform operations. The one or more processors of the system may be configured to process a request to install an application that requires access to one or more application programming interfaces (APIs). The one or more processors of the system may be further configured to determine a sensitivity level for each of the one or more required APIs. In addition, the one or more processors of the system may be configured to require, when the determined sensitivity level of at least one of the one or more required APIs is associated with a restricted API category, that the code of the application be delivered using a security mechanism.
Another example system may include one or more processors configured to receive a first application programming interface (API) call made by an installed application. The one or more processors of the system may be further configured to determine a sensitivity level of the received first API call. The one or more processors of the system may be further configured to determine, when the determined sensitivity level of the received first API call is associated with a restricted API category, whether the author of the installed application is an authorized author. In addition, the one or more processors of the system may be configured to allow, when the author of the installed application is determined to be an authorized author, the received first API call to access its associated API.
Another example system may include one or more processors configured to process a request to install an application that requires one or more application programming interface (API) calls to be made by the application. The one or more processors of the system may be further configured to determine the creating entity of the application. The one or more processors of the system may be further configured to determine whether the creating entity is authenticated by one or more trusted entities. In addition, the one or more processors of the system may be configured to allow installation of the application when the creating entity is authenticated by at least one of the one or more trusted entities.
Another example system may include one or more processors configured to detect an API call made by an application, the API call being for accessing data associated with a computing device. The one or more processors of the system may be further configured to determine a sensitivity level of the API call based on the associated data. In addition, the one or more processors of the system may be configured to provide an indication of the API call based on the determined sensitivity level.
The disclosed subject matter also relates to example machine-readable media including instructions stored therein that, when executed by a system, cause the system to perform operations for granting application permissions at installation, allowing API calls based on authorization of the application's author, and providing notification of API activity. An example machine-readable medium may include instructions for processing a request to install an application that requires access to one or more application programming interfaces (APIs). The machine-readable medium may further include instructions for determining a sensitivity level for each of the one or more required APIs. In addition, the machine-readable medium may include instructions for requiring, when the determined sensitivity level of at least one of the one or more required APIs is associated with a restricted API category, that the code of the application be delivered using a security mechanism.
Another example machine-readable medium may include instructions for receiving a first application programming interface (API) call made by an installed application. The machine-readable medium may include instructions for determining a sensitivity level of the received first API call. The machine-readable medium may include instructions for determining, when the determined sensitivity level of the received first API call is associated with a restricted API category, whether the author of the installed application is an authorized author. In addition, the machine-readable medium may include instructions for allowing, when the author of the installed application is determined to be an authorized author, the received first API call to access its associated API.
Another example machine-readable medium may include instructions for processing a request to install an application that requires one or more application programming interface (API) calls to be made by the application. The machine-readable medium may include instructions for determining the creating entity of the application. The machine-readable medium may include instructions for determining whether the creating entity is authenticated by one or more trusted entities. In addition, the machine-readable medium may include instructions for allowing installation of the application when the creating entity is authenticated by at least one of the one or more trusted entities.
Another example machine-readable medium may include instructions for detecting an API call made by an application, the API call being for accessing data associated with a computing device. The machine-readable medium may include instructions for determining a sensitivity level of the API call based on the associated data. In addition, the machine-readable medium may include instructions for providing an indication of the API call based on the determined sensitivity level.
It should be understood that other configurations of the subject technology will become apparent from the following detailed description, in which various configurations of the subject technology are shown and described by way of illustration. It should be understood that the subject technology is capable of other and different configurations, and its several details are capable of modification in various other respects, all without departing from the scope of the subject technology. Accordingly, the drawings and detailed description are to be regarded as illustrative in nature and not restrictive.
Brief description of the drawings
Certain features of the subject technology are set forth in the appended claims. For purposes of explanation, however, several embodiments of the subject technology are set forth in the accompanying drawings.
Fig. 1 illustrates an example client-server network environment that provides application permissions, in accordance with various aspects of the subject technology.
Fig. 2 illustrates an example of an author-identity trust technique for granting application permissions, in accordance with various aspects of the subject technology.
Fig. 3A and Fig. 3B illustrate examples of API usage notification techniques, in accordance with various aspects of the subject technology.
Fig. 4 illustrates an example of a process for installing an application that requires one or more APIs, in accordance with various aspects of the subject technology.
Fig. 5 illustrates an example of a process for restricting API calls made by an installed application, in accordance with various aspects of the subject technology.
Fig. 6 illustrates an example of a process related to a request to install an application that requires one or more API calls, in accordance with various aspects of the subject technology.
Fig. 7 conceptually illustrates an electronic system with which some aspects of the subject technology are implemented.
Detailed description
The detailed description set forth below is intended as a description of various configurations of the subject technology and is not intended to represent the only configurations in which the subject technology may be practiced. The accompanying drawings are incorporated herein and constitute a part of the detailed description. The detailed description includes specific details for the purpose of providing a thorough understanding of the subject technology. However, it will be clear and apparent that the subject technology is not limited to the specific details set forth herein and may be practiced without these specific details. In some instances, structures and components are shown in block diagram form in order to avoid obscuring the concepts of the subject technology.
In accordance with various aspects of the subject technology, the present disclosure describes techniques for managing application permissions and indicating API call activity. For example, many users have relatively low awareness of the application permissions they agree to when downloading and installing applications. Likewise, users largely ignore these application permissions and any problems that arise once an application is installed, especially, for example, when a large number of applications are downloaded to a device.
Accordingly, in some examples, techniques are described herein for granting and managing an application's permissions both at installation and during use of the application. These techniques may be used individually to improve the security of user information and awareness of what information is being accessed and by whom. However, the techniques may also be used in combination to provide an application permission management scheme and visibility into information access.
In some examples, a mobile device may receive a request to install (or send a request to download) an application that requires access to one or more APIs. The sensitivity level of the APIs associated with the application may be determined, and when the sensitivity level of an API call is determined to be of a sensitive or restricted nature, the mobile device may require that the application's code be delivered using a security mechanism that identifies the author.
For example, delivery using the Secure Sockets Layer (SSL) protocol and an SSL certificate may be required. SSL protocol technology can serve as a security mechanism that enables two systems to communicate via encrypted data. The receiving system has the ability to authenticate that the received data was in fact transmitted from the source that claims to have delivered it.
In other examples, such as when the application has previously been installed on the mobile device, the mobile device may receive an API call from the application. The mobile device may then determine whether the received API call is a sensitive API call or a restricted API call. If the received API call is determined to be a sensitive API call or a restricted API call, the received API call may be permitted only when the author of the installed application is an authorized author.
Whether the author of the installed application is an authorized author can be determined by determining whether the certificate associated with delivery of the code during installation of the application is owned by a trusted entity or vouched for by a trusted entity. According to various examples and embodiments, a trusted entity may be a corporate entity or an individual user.
For example, a trusted-entity approach to granting application permissions may further be used when a device processes a request to install an application that requires one or more API calls. For example, the user of the device may wish to initiate a download of the application from a remote server, but may not necessarily know who the author of the application is or what the author's credentials are. Accordingly, the creating entity of the application may be determined, and if the creating entity has been authenticated by one or more trusted entities, the device may permit the download and installation of the application requiring the one or more API calls.
In this regard, approval of API permissions is not made on an application-by-application basis; instead, according to the subject technology, the user of the device may indicate trust in trusted entities. Accordingly, each of multiple trusted entities may be used to indicate multiple authors who are permitted to provide applications to the user.
In other examples, techniques may be provided for giving the user of the device indications and detailed notifications about the API calls being invoked. For example, the device may provide the user with a real-time indication of API calls or other information access requests as they occur. In this example, the user of the device may be running an application (such as a racing game) when the application triggers a sensitive or restricted API call that the user does not expect. For example, the racing game application may invoke an API call associated with access to the user's financial data stored on the device.
In response to the sensitive or restricted API call, the device may provide an indication that the sensitive or restricted API call is being initiated. For example, the device may activate an API access indicator light located somewhere on the phone housing, or an API access indicator icon on the display screen of the device. For example, the indicator light and/or indicator icon may illuminate, flash, blink, or pulse in different colors (e.g., red, yellow, or green) for different durations based on the sensitivity level associated with the API call.
In another example, an API access log may be provided as a notification log visible on the display screen of the device. In some embodiments, the API access log may be dedicated to providing only API access notifications. For example, the API access log may include entries providing information about API access events that have occurred on the device, such as application name, sensitivity level, details, time, and so on. In some embodiments, the API access log may be launched from the API access indicator icon located on the display screen of the device.
To this end, a real-time indication of API access related to the sensitivity level of the detected API call may be communicated together with notification details, so that the user of a device according to the subject technology can easily associate the sensitive or restricted API with the application the device is currently executing.
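The runtime behaviour described above (classify the call, permit a sensitive or restricted call only for an authorized author, then raise an indicator and write an access-log entry) can be sketched as follows. This is an added example, not code from the patent; the API names, the three-level scale, the colour mapping and the fail-closed handling of unknown APIs are assumptions.

```python
"""Runtime API-call gate with sensitivity-based notification (added example)."""
from dataclasses import dataclass, field
from datetime import datetime, timezone
from enum import IntEnum


class Sensitivity(IntEnum):
    NORMAL = 0
    SENSITIVE = 1
    RESTRICTED = 2


# Hypothetical API names and levels; the page defines no concrete table.
API_SENSITIVITY = {
    "display.draw": Sensitivity.NORMAL,
    "location.get": Sensitivity.SENSITIVE,
    "finance.read": Sensitivity.RESTRICTED,
}

# Assumed colour per level; the page only says the colour depends on the level.
INDICATOR_COLOUR = {
    Sensitivity.SENSITIVE: "yellow",
    Sensitivity.RESTRICTED: "red",
}


@dataclass(frozen=True)
class InstalledApp:
    name: str
    author: str  # identity established when the code was delivered


@dataclass(frozen=True)
class LogEntry:
    time: str
    app: str
    api: str
    sensitivity: str
    allowed: bool
    detail: str


@dataclass
class ApiGate:
    authorized_authors: frozenset
    log: list = field(default_factory=list)
    indicator: str = "off"

    def classify(self, api: str) -> Sensitivity:
        # Fail closed: an API missing from the table is treated as restricted.
        return API_SENSITIVITY.get(api, Sensitivity.RESTRICTED)

    def call(self, app: InstalledApp, api: str) -> bool:
        level = self.classify(api)
        if level is Sensitivity.NORMAL:
            return True  # no author check and no notification
        allowed = app.author in self.authorized_authors
        detail = "author authorized" if allowed else "author not authorized"
        # Notify on every sensitive or restricted call, allowed or not, so the
        # user can tie the access to the application that is running.
        self.indicator = INDICATOR_COLOUR[level]
        self.log.append(LogEntry(
            time=datetime.now(timezone.utc).isoformat(timespec="seconds"),
            app=app.name, api=api, sensitivity=level.name,
            allowed=allowed, detail=detail,
        ))
        return allowed


def demo():
    """Constructed scenario: a maps app and the racing game from the text."""
    gate = ApiGate(authorized_authors=frozenset({"Trusted Maps Inc."}))
    maps = InstalledApp("Maps", "Trusted Maps Inc.")
    game = InstalledApp("Racing Game", "Unknown Studio")
    results = [
        gate.call(game, "display.draw"),   # normal API, always allowed
        gate.call(maps, "location.get"),   # sensitive, authorized author
        gate.call(game, "finance.read"),   # restricted, unauthorized author
    ]
    return gate, results


if __name__ == "__main__":
    gate, results = demo()
    print(results, gate.indicator)
    for entry in gate.log:
        print(entry)
```
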
Systems and techniques for granting application permissions and providing notification of API activity, in accordance with various aspects of the subject technology, are described in further detail below.
Fig. 1 illustrates an example client-server network environment that can support application permissions and can be used to implement various techniques for granting or denying permissions. Network environment 100 may include multiple electronic devices 102, 103, 104, 106 communicably connected to a server 110, such as by a network 108, one or more servers 110, and the network 108. In other examples, the electronic devices 102, 103, 104, 106 are communicably connected to each other, such as by the network 108, but are not communicably connected to the one or more servers 110.
In the example of Fig. 1, the one or more servers 110 may host one or more systems or services, including but not limited to systems for downloading and installing applications based on application permission techniques. In some examples, each of the one or more servers 110 may be a single computing device, such as a computer server. In other examples, the one or more servers 110 may represent more than one computing device working together to perform the actions of a server computer (e.g., a cloud of computers or a distributed system). In another example, each of the one or more servers 110 may be coupled with various databases, storage services, or other computing devices. Each of the one or more servers 110 and the coupled databases, storage services, or other computing devices may be collocated or may be disparately located.
For example, each of the one or more servers 110 may include one or more processing devices 112 and one or more data stores 114. The one or more processing devices 112 may execute instructions stored in the one or more data stores 114. The one or more data stores 114 may store the computer instructions on a non-transitory computer-readable medium.
Network 108 may be a public communication network, a private communication network, or a combination thereof. In some examples, network 108 may include any one or more of a personal area network (PAN), a local area network (LAN), a campus area network (CAN), a metropolitan area network (MAN), a wide area network (WAN), a broadband network (BBN), the Internet, and the like. Further, network 108 may include, but is not limited to, any one or more of the following network topologies: a bus network, a star network, a ring network, a mesh network, a star-bus network, a tree or hierarchical network, and the like.
Network 108 may be a public communication network (including, but not limited to, the Internet, a cellular data network, a cable data network, or dial-up modems over the public switched telephone network) or a private communication network (such as, for example, a private local area network ("LAN") or a leased-line network). Network 108 may also include, but is not limited to, any one or more of the following network topologies: a bus network, a star network, a ring network, a mesh network, a star-bus network, a tree or hierarchical network, and the like.
In some embodiments, electronic devices 102, 103, 104 and 106 may be computing devices such as laptop or desktop computers, smartphones, personal digital assistants ("PDAs"), portable media players, tablet computers, televisions or other displays with one or more processors coupled thereto or embedded therein, or other appropriate computing devices. In the example of Fig. 1, electronic device 102 is depicted as a desktop computer, electronic devices 103 and 104 are depicted as smartphones, and electronic device 106 is depicted as a tablet device.
Communication between the electronic devices 102, 103, 104, 106 and the server 110 may be facilitated using various file sharing techniques and data transfer protocols (such as, but not limited to, Hypertext Transfer Protocol (HTTP), Extensible Messaging and Presence Protocol (XMPP), File Transfer Protocol (FTP), Secure Shell (SSH), Server Message Block (SMB), etc.). In other examples, the electronic devices 102, 103, 104, 106 may communicate with each other without communicating with the server 110.
In the example of fig. 1, each electronic equipment 102,103,104,106 can in response to installation application request, From another downloading application in server 110 or electronic equipment 102,103,104,106.Can from network 108 (or with Its connect) another equipment receive to installation application request, can also by will install application electronic equipment 102, 103,104,106 are started.
In operation, server 110 can provide and handle the operation for trustship website, and website can will apply and be delivered to Electronic equipment 102,103,104,106.It is applied to be downloaded from the website of trustship, electronic equipment 102,103,104,106 can be with Respectively establish the communication with server 110.
It is mounted on electronic equipment 104 for example it is assumed that will apply, and application request carries out sensitive or limited API Calls (for example, position that application request obtains user), then the licensing system of electronic equipment 104 requires to determine whether using acquisition The mode of the position of user.In order to determine whether sensitive as application access or limited information, licensing system will be sensitive The permission (or refusal) of API Calls is established on the basis of writer identity ownership, for example, the author of application or creation entity.
According to various aspects, the author of application or creation entity can be the individual or reality that development and application or distribution are applied Body.In some instances, author or creation entity can be both developer and distribution person of application.In other instances, it answers Author or creation entity can be to provide the distribution of application or promote the entity of the distribution of application.
In some examples, writer identity ownership is whether the author based on application has SSL certificate, the SSL certificate The binary code for having been used for apply is delivered to electronic equipment 104.It is, for example, possible to use ssl protocol technologies to realize Two systems are via encrypted data communications.Reception system (such as licensing system of electronic equipment 104) has certification institute received Data are really from the ability for claiming that its source of delivering is transmitted.
For example, can use similar skill when the equipment of user attempts from remote server retrieval network Email Art.If the equipment of user is connected to the network of non-internet connection (for example, the wireless network in the hotel of limitation internet access Network), the web browser of the equipment of user can provide instruction, and the website for indicating user's trial connection is unlike holding Recognize the website (for example, the business of user is intercepted by hotel service device, because user not yet pays accessing wirelessly) of communication.
According in some terms, can be by such security mechanism and similar variation and embodiment (for example, verifying SSL Certificate) for confirming through application code performed by electronic equipment 104 from the server for being identified as application code source. If the code delivered is not by certificate correct labeling and if certificate itself is not trusted (for example, there are no quilts for certificate Some other third parties that user is trusted are confirmed), sensitive or limited API Calls are carried out then would not allow for applying.With regard to this For, if a user indicate that he or she trusted from source (for example, web services supplier or ISP) institute received source generation The licensing system of code, electronic equipment 104 will allow application access sensitive based on the identity of the authorized entity of delivering code Or limited API Calls.
As a result, as soon as electronic device 104 receives the code associated with the application, the licensing system of electronic device 104 allows the installed application to access sensitive or restricted APIs immediately, without the additional step of the user confirming that he or she trusts the specific application. The user of electronic device 104 can therefore trust the source of applications and need not trust each individual application.
Various techniques for layering application permissions are further described below with reference to Figs. 2 to 6 and with continued reference to Fig. 1.
Fig. 2 illustrates an example of a trust technique for granting permissions. Applications 262a-c, 264a-c and 266 are available for installation on mobile device 204. In some examples, each of applications 262a-c, 264a-c and 266 is created by a different creating entity. Mobile device 204 is operable to trust different entities (e.g., trusted entities), so applications created by creating entities that a trusted entity trusts or has certified can be downloaded directly to mobile device 204 without any user interface query or additional permission request to a server (e.g., server 110).
For example, mobile device 204 may include trusted web services provider 252 as a trusted entity, along with trusted connection 212 for facilitating access to and/or download of applications. However, mobile device 204 does not yet include service provider 254 as a trusted entity, and has untrusted connection 214 with respect to service provider 254.
It should be appreciated that service provider 254 can, for example, be a trusted provider for other devices, and that if mobile device 204 at some point chooses to include service provider 254 as a trusted entity, service provider 254 can be a trusted entity of mobile device 204.
In addition, each creating entity that created applications 262a-c, 264a-c and 266 can be selected and designated as a trusted entity by mobile device 204. In the following example, however, mobile device 204 has not itself designated any of the creating entities of applications 262a-c, 264a-c and 266. Instead, trusted web services provider 252 explicitly trusts and has certified each of the creating entities of applications 262a-c. For example, mobile device 204 can process a request to install application 262a, which requires access to one or more API calls. Mobile device 204 determines the creating entity of application 262a, and determines that the creating entity of application 262a has been certified by trusted web services provider 252. Mobile device 204 therefore allows the application to be downloaded and installed without any permission dialog directed to the user of mobile device 204, regardless of whether application 262a requires API calls to sensitive or restricted APIs.
In addition, mobile device 204 can similarly process a request to install application 262b and install application 262b automatically, because application 262b is likewise trusted and certified by trusted web services provider 252. However, if trusted web services provider 252 revokes its trust and certification of 262b, and if application 262b has already been installed on mobile device 204, any API calls made by application 262b will likewise be revoked by mobile device 204. For example, trusted web services provider 252 can send a notification to the devices with which it has trusted connection 212 and/or revoke the SSL certificate issued to the creating entity of application 262b.
In the example of Fig. 2, service provider 254 explicitly trusts and certifies each of the creating entities of applications 264a-c. However, with respect to automatically downloading and installing applications on mobile device 204, any trust in and certification of a creating entity by service provider 254 is of no importance to mobile device 204. In some cases, though, the trust and certification of the creating entities of applications 264a-c may have some relevance, as described below.
For example, mobile device 204 can process a request to install application 264c, which requires access to one or more API calls. Mobile device 204 determines the creating entity of application 264c, and determines that the creating entity of application 264c is not trusted or certified by any trusted entity of mobile device 204. Therefore, at least initially, with respect to trusted automatic download (as an installation technique), mobile device 204 refuses the installation of application 264c, which requires one or more API calls.
However, in some examples, mobile device 204 can receive a request to install application 264c (e.g., a map and driving directions program), identify the one or more API calls of application 264c, and identify multiple entities that certify the creating entity of application 264c. Device 204 can therefore provide a dialog in the user interface indicating that the one or more API calls of the application relate to location information of mobile device 204, and that service provider 254 (e.g., a well-known service provider) and 15 other entities (e.g., several of which are considered highly trusted) certify the creating entity of application 264c. If the user of device 204 agrees to grant such permission based on the information provided in the dialog, the confirmation of the received request can be processed, and application 264c can be installed on mobile device 204.
In another example, mobile device 204 can receive a request to install application 266 (e.g., a flashlight program that uses the mobile phone's existing camera flash), identify the one or more API calls of application 266, and identify several entities that certify the creating entity of application 266. Device 204 can therefore provide a dialog in the user interface indicating that the one or more API calls of the application relate to access to email and to browser history data stored on mobile device 204, and that 3 entities (e.g., none of which is known to the user of mobile device 204) certify the creating entity of application 264c. The user of device 204 may therefore not agree to grant such permission and may reject the received request.
Fig. 3A is an example of mobile device 304 using an API usage notification technique. In some examples, mobile device 304 can provide the user with an indication that an API call or other information access request is occurring. For example, the API call can be associated with an API on mobile device 304 and data accessed on it, or with an API on mobile device 304 and remotely accessed data. The user of mobile device 304 can run application 335 (e.g., play a car racing game). In some examples, access permissions may have been granted to application 335 in advance and acknowledged in some manner by the user. Certain API calls can be expected during execution of the application (e.g., accessing the hard disk to retrieve code associated with subsequent execution of the application).
However, while application 335 is running on mobile device 304, an unexpected sensitive or restricted API call may be triggered by application 335. For example, application 335 may invoke an API call associated with access to financial data on mobile device 304. In response to the sensitive or restricted API call, mobile device 304 can provide an indication that a sensitive or restricted API call is being initiated.
For example, the indication that an API call has been invoked can be provided by hardwired indicator light 322 (e.g., an LED, lamp, etc.) on mobile device 304. In this regard, such a hardwired indicator implementation is practically immune to framing or tampering attempts by malware applications. For example, a malware application cannot cover or mask an image on the display screen that indicates a sensitive or restricted API call. Alternatively or additionally, the indication that an API call has been invoked can be provided by indicator icon 324 on a portion of the display screen of mobile device 304. The controls and modules related to both indicator implementations can be included in the device as an independent operating system subsystem, which further minimizes attempts by malware applications to frame the sensitive or restricted API notification technique.
To alert the user, indicator light 322 and/or indicator icon 324 can illuminate, flash, blink or pulse in different colors and for different durations depending on how sensitive the accessed API is. For example, an application's access to local storage that is isolated (e.g., sandboxed) for its data and code can be shown as a green indicator. More sensitive access (such as sharing cookies or other user-related information between applications) can be shown as a yellow indicator (e.g., certain advertising systems may perform such tasks in order to display advertisements targeted on the user's browsing history rather than on the current context). For highly sensitive or restricted access (e.g., highly personal information such as, but not limited to, the user's contact list, location, documents and email), indicator light 322 and/or indicator icon 324 can be shown as a red indicator.
Similarly, the duration of the indication provided by indicator light 322 and/or indicator icon 324 can differ for the various sensitivity levels associated with the invoked API call. For example, a green indicator can be a brief flash or pulse, a yellow indicator can be a slightly longer flash or pulse (e.g., 500 milliseconds), and a red indicator can flash for a long time (e.g., one second), prompting the user of mobile device 304 to notice when a highly sensitive or restricted API call is invoked.
It should be understood that other techniques can be used to communicate visually to the user of mobile device 304 that a sensitive or restricted API call has been invoked. In addition, in some embodiments, the indication that an API call has been invoked may include a sound (e.g., a chirp, beep or alarm) or a vibration of mobile device 304. For example, different sounds and sound durations can be used according to the sensitivity of the API call. In some examples, the sound used to indicate that an API call has been invoked can be a distinct sound that cannot be selected for use in other system settings of mobile device 304.
According to some aspects, an entry related to the API call invocation can be provided to an API access log or a similar information access log. In some examples, the user of mobile device 304 can access the API access log by clicking indicator icon 324. In this regard, the user of mobile device 304 can be alerted to potential threats in real time, investigate the details associated with sensitive or restricted API access, and take any corrective action if necessary.
Fig. 3B illustrates an example of API access log 350. API access log 350 can be a notification log (providing only API access notifications) visible on the display screen of mobile device 304. For example, API access log 350 may include notification header bar 352 indicating columns such as the application name, sensitivity level, details and time related to API access events. API access log entries 355a-g identify the details of API access events and can be sorted in different ways, such as by time of occurrence.
The user of mobile device 304 can view API access log 350, for example when alerted by indicator light 322 and/or indicator icon 324 to an unusual or unexpected API indication. However, the user can also review API access log entries 355a-g at a more convenient time. It is important to note that a high-level (e.g., red indicator) API access log entry does not necessarily indicate any improper API access. Rather, the API notification technique according to some aspects may simply alert and notify the user that a particular API call or event is occurring. For example, the user may fully expect API access log entry 355d, for an API call related to personal information associated with a financial application, and API access log entry 355g, for an API call related to location information associated with a map application.
The user may expect some low-access-level or medium-access-level API calls, such as API access log entries 355b, 355e, 355f. However, other high-access-level and medium-access-level API calls may draw attention. For example, as described above in the example of access while playing a car racing game, the user is likely to look up the details of API access log entry 355a, for an API call related to personal financial information associated with the car racing game application.
In addition, the user may be alerted by indicator light 322 and/or indicator icon 324 and look up the details of API access log entry 355c, for an API call related to installing a new icon on the user's home screen associated with an operating system library application. For example, to drive installation of applications the user has not yet discovered, certain operating system libraries may install new icons on the user's home screen. The user may not understand why a new application icon for download has appeared on the home screen, how it appeared there, or which application or applications are responsible for such installation activity. The user of mobile device 304 can access API access log 350 and review the details of API access log entry 355c. The user can then decide whether the API call and the resulting event are acceptable, or remove the application that made the API call, or, if possible, remove the application's permission to invoke the particular API call.
Thus, by communicating a real-time indication of API access and related information access together with the degree of sensitivity of the detected API access, the user of mobile device 304 can easily associate a sensitive or restricted API call with the application currently being executed by mobile device 304. In addition, in some embodiments, the access level or classification associated with sensitive or restricted API calls is fixed, so a user cannot modify the sensitivity level assigned to a particular API or API call. In this regard, for example, a malware application cannot attempt to change a high-level access (e.g., red indicator) into a low-level access (e.g., green indicator) by setting parameters via user-configurable source code.
An example API usage notification process related to the API usage notification technique described above is further provided. The example API usage notification process can be used in conjunction with other processes and aspects of the disclosure. Although aspects are described with respect to the examples provided in Figs. 1 to 3B, the API usage notification process is not limited thereto.
For example, an API call made by an application can be detected by a computing device (e.g., electronic device 104, mobile device 204 or mobile device 304). The detected API call can relate to accessing data associated with the computing device. The sensitivity level of the API call can be determined based on the associated data, and can be determined to be high, medium or low. The API usage notification process can provide an indication of the API call based on the determined sensitivity level.
In some examples, the API usage notification process can activate a hardwired indicator on the computing device (e.g., indicator light 322) and/or an indicator icon on the display screen of the computing device (e.g., indicator icon 324) to provide the indication of the API call. In some examples, the indicator icon can be activated so as to present an API access log on the display screen of the computing device, the API access log including one or more API access entries associated with one or more corresponding API calls.
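The notification process described above, sketched in Python as an added example that is not code from the patent: each detected API call is classified from a fixed, read-only table, drives an indicator signal, and is appended to an access log that can be filtered for entries the user has no reason to expect. The category names, API names, the 100 ms green duration and the rule that unclassified categories count as high are assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from enum import Enum
from types import MappingProxyType


class Sensitivity(Enum):
    LOW = "low"
    MEDIUM = "medium"
    HIGH = "high"


# Data category -> sensitivity level, following the examples in the text.
# The category names are hypothetical labels. The tables are read-only views,
# reflecting the point that the classification is fixed and not configurable.
CATEGORY_SENSITIVITY = MappingProxyType({
    "sandboxed_local_storage": Sensitivity.LOW,
    "shared_cookies": Sensitivity.MEDIUM,
    "contacts": Sensitivity.HIGH,
    "location": Sensitivity.HIGH,
    "documents": Sensitivity.HIGH,
    "email": Sensitivity.HIGH,
    "financial_data": Sensitivity.HIGH,  # assumed level for the racing-game case
})

# Sensitivity -> (colour, flash duration in ms). 500 ms and 1000 ms are the
# values in the text; 100 ms for the "brief" green flash is an assumed value.
INDICATOR = MappingProxyType({
    Sensitivity.LOW: ("green", 100),
    Sensitivity.MEDIUM: ("yellow", 500),
    Sensitivity.HIGH: ("red", 1000),
})


@dataclass(frozen=True)
class LogEntry:
    app_name: str
    sensitivity: Sensitivity
    category: str
    details: str
    time: datetime


class ApiUsageNotifier:
    """Classifies detected API calls, signals the indicator, keeps the log."""

    def __init__(self):
        self.access_log = []
        self.signals = []  # stands in for the LED / icon driver

    @staticmethod
    def classify(category):
        # Assumption: an unclassified data category is treated as HIGH, so an
        # unknown access is never under-reported.
        return CATEGORY_SENSITIVITY.get(category, Sensitivity.HIGH)

    def on_api_call(self, app_name, api_name, category, when=None):
        level = self.classify(category)
        self.signals.append(INDICATOR[level])
        entry = LogEntry(app_name, level, category,
                         f"{api_name} accessed {category}",
                         when or datetime.now(timezone.utc))
        self.access_log.append(entry)
        return entry

    def unexpected_entries(self, expected):
        """Return medium/high entries the user has no reason to expect.

        `expected` maps an application name to the data categories the user
        expects it to touch (a finance app reading financial data is normal).
        """
        return [e for e in self.access_log
                if e.sensitivity is not Sensitivity.LOW
                and e.category not in expected.get(e.app_name, set())]


def demo():
    # Constructed sample events, loosely following the Fig. 3B discussion.
    notifier = ApiUsageNotifier()
    events = [
        ("RacingGame", "storage.read", "sandboxed_local_storage"),
        ("FinanceApp", "accounts.read", "financial_data"),
        ("RacingGame", "accounts.read", "financial_data"),
        ("Maps", "location.get", "location"),
        ("AdKit", "cookies.share", "shared_cookies"),
    ]
    for app, api, category in events:
        notifier.on_api_call(app, api, category)
    expected = {"FinanceApp": {"financial_data"}, "Maps": {"location"}}
    return notifier, notifier.unexpected_entries(expected)


if __name__ == "__main__":
    notifier, flagged = demo()
    for entry in flagged:
        print(entry.app_name, entry.sensitivity.value, entry.details)
```

A red entry is not treated as a violation by itself; only the combination of application and data category decides what is surfaced for review.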
Fig. 4 illustrates a flowchart of an example process related to installing an application that includes one or more API calls. It should be appreciated that the operations in process 400 can be used in conjunction with other aspects and processes of the disclosure. Although aspects of process 400 are described with respect to the examples provided in Figs. 1 to 3B, process 400 is not limited thereto.
In block 402, a request to install an application that requires access to one or more APIs can be processed (e.g., by electronic device 104, by a website hosted by server 110, or by other electronic devices 102, 103, 105 that have a connection with electronic device 104). It should be appreciated that an application may include any executable program code, such as, but not limited to, code written in various general-purpose or interpreted programming languages (e.g., Java, C++, JavaScript, Visual Basic, etc.).
In block 404, the sensitivity level of the one or more APIs can be determined. For example, a device (e.g., electronic device 104, mobile device 204 or mobile device 304) can determine the sensitivity level of each of the one or more APIs that the application to be installed requires access to. It may be determined that all of the APIs required by the application requested to be installed on the device are associated with harmless APIs, that some of the required APIs are associated with harmless APIs and some with restricted APIs, or that all of the required APIs are associated with restricted APIs. In some examples, restricted (or sensitive) API categories may include sharing the user's contact list, the user's location, the user's email, the user's cookies, and/or user documents or files stored on the device or accessible by the device.
Other examples of restricted (or sensitive) API categories may include APIs associated with: controlling the entire screen of the user's device (e.g., full-screen mode); accessing the microphone on the device; accessing the speaker on the device; accessing the camera on the device; obtaining information about whether a face can be detected by the front-facing or rear-facing camera on the device; obtaining the IP address assigned to the device; obtaining the user's avatar (e.g., a photograph or portrait of the user); obtaining the user's email address; obtaining the user's browsing history or web search history; obtaining the configuration of the user's home screen on the device (e.g., information about what icons are on the home screen and where the icons are); obtaining a list of the applications the user has installed on the device; obtaining the frequency of use and usage history of the applications the user has installed on the device; obtaining the remaining battery level of the device; obtaining information related to detectable Bluetooth beacons of other user devices or WiFi beacons near the user's device (e.g., information that serves as a proxy for the user's current location); obtaining information about whether there is light around the device; obtaining the temperature of the device (e.g., information that may indicate the placement of the device on the user's body); obtaining the speed at which the device is moving; obtaining the orientation of the device; obtaining the state of whether the device is currently being used for a call; obtaining the call history of the device; obtaining the ringtone of the device; and obtaining information related to how long the device has been idle (measured by at least one of activation of the display, device input, or movement of the device by the user).
It should be appreciated that an application with permission for APIs associated with the various sensors on the device could potentially determine personally identifiable information, particularly when such acquired sensor information is used in combination with other information related to the user of the device.
In block 406, when the determined sensitivity level of at least one of the one or more required APIs is associated with a restricted API category, the code of the application containing the one or more API calls is required to be delivered by the website using a security mechanism. In some embodiments, the security mechanism related to delivery of the code may include the Secure Sockets Layer (SSL) protocol. Other secure transmission techniques for delivering code are also contemplated for use in various embodiments.
In block 408, the application requiring the one or more API calls can be installed on the device (e.g., by downloading it from server 110 hosting the website). In some embodiments, the manner in which the application is installed on the device can be based on the determined sensitivity level of each of the one or more required APIs. For example, when the determined sensitivity level of at least one of the one or more required APIs is associated with a restricted API category, the code of the application containing the one or more APIs may be required to be delivered using a security mechanism. However, in some examples, when all of the required APIs included in the application are classified as low-harm or harmless, the code of the application containing the one or more required APIs can be delivered in an unsecured manner.
Referring to Fig. 5, example process 500 for determining whether to allow an API call is illustrated. It should be appreciated that the operations in process 500 can be used in conjunction with other processes and aspects of the disclosure. Although aspects of process 500 are described with respect to the examples provided in Figs. 1 to 3B, process 500 is not limited thereto.
In block 502, a device (e.g., electronic device 104, mobile device 204 or mobile device 304) can receive a first API call made by an installed application. For example, an API-calling module (e.g., an application program or device driver) can make the first API call using an API, which can specify one or more functions, data structures, protocols, formats and/or features of an API-implementing module (e.g., an operating system or application program) residing on the device.
In some examples, the application that makes the first API call may have been installed using the operations described in process 400. However, the application may have been installed on the device by other means (e.g., installed from a flash drive, CD-ROM, etc., or installed by activating code resident on electronic device 104, such as a pre-installed application), or installed without process 400. In any such case, the device can process the received first API call made by the installed application.
In decision block 504, the sensitivity level of the received first API call can be determined by the device. For example, the licensing system of the device may determine that the first API call shares the device's location with a remote application (e.g., an application residing on server 110 across network 108). In some embodiments, sharing the device's location is considered a restricted API category.
In block 506, when the determined sensitivity level of the API call is not associated with a restricted API category, the licensing system of the device can allow the API call. Thus, in some embodiments, the licensing system of the device can allow any harmless API call regardless of whether the author of the installed application is determined to be an authorized author. In other embodiments, however, the licensing system of the device may determine whether the author of the installed application is an authorized author even when the determined sensitivity level of the API call is not associated with a restricted API category (e.g., the author is required to be an authorized user for all installed applications that require access to one or more APIs).
When the determined sensitivity level of the received first API call is associated with a restricted API category, the licensing system of the device can determine whether the author of the installed application is determined to be an authorized author (decision block 508). For example, whether the author of the installed application is an authorized author can be determined by determining whether a certificate associated with delivery of the code during installation of the application is owned by a trusted entity or vouched for by a trusted entity. In the various examples and embodiments of process 500, a trusted entity can be a corporate entity (e.g., a web search provider associated with server 110, a software developer, etc.) or an individual user (e.g., a user associated with electronic devices 102, 103). The concepts of trusted entities and application permissions are described in detail above with reference to Fig. 2.
In some embodiments, the certificate associated with delivery of the code can be a Secure Sockets Layer (SSL) certificate. For example, authorization of the application's author can be based on possession of the SSL certificate used to deliver the binary code to the device during the process of installing the application. It should be appreciated that an advantage of using SSL techniques is that such techniques have not been found to impose constraints on how a website delivers applications using the SSL protocol, and that, for example, related delivery mechanisms can be used in some cases involving brokered transactions.
When the author of the installed application is determined to be an authorized author, the received first API call that has been identified as associated with a restricted API can be allowed by the licensing system of the device (block 506). However, when the author of the application is not determined to be an authorized author, the received first API call can be disallowed or denied access to its associated API (block 510).
In block 512, a second API call made by the installed application can be received. When the author of the installed application has been determined to be an authorized author, the received second API call can be allowed to access its associated API (block 514). Similarly, once the licensing system of the device determines that the author of the application is an authorized author, any subsequent API calls made by that application can be allowed automatically by the licensing system.
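The decision flow of process 500, sketched in Python as an added example that is not code from the patent: harmless calls pass outright (the first embodiment of block 506), restricted calls depend on whether the delivery certificate is owned or vouched for by a trusted entity, the result is remembered for later calls, and a revocation like the one described for application 262b overrides it. The class, field, entity and category names are assumptions.

```python
from dataclasses import dataclass
from typing import FrozenSet, Optional

# Hypothetical labels for restricted API categories named in the text.
RESTRICTED_CATEGORIES = frozenset(
    {"contacts", "location", "email", "cookies", "documents"})


@dataclass(frozen=True)
class DeliveryCertificate:
    owner: str                                 # entity holding the certificate
    vouched_by: FrozenSet[str] = frozenset()   # entities that vouch for it


@dataclass(frozen=True)
class InstalledApp:
    name: str
    author: str
    delivery_cert: Optional[DeliveryCertificate]  # None: delivered without one


class PermissionSystem:
    """Stands in for the device's licensing system in process 500."""

    def __init__(self, trusted_entities):
        self.trusted_entities = set(trusted_entities)
        self._authorized_apps = set()   # outcome of block 508, remembered
        self._revoked_authors = set()
        self.cert_checks = 0            # how many times block 508 actually ran

    def _author_authorized(self, app):
        # Block 508: is the delivery certificate owned by, or vouched for by,
        # an entity this device trusts?
        if app.author in self._revoked_authors:
            return False
        if app.name in self._authorized_apps:
            return True                 # blocks 512/514: no repeated check
        self.cert_checks += 1
        cert = app.delivery_cert
        ok = cert is not None and (
            cert.owner in self.trusted_entities
            or bool(cert.vouched_by & self.trusted_entities))
        if ok:
            self._authorized_apps.add(app.name)
        return ok

    def handle_api_call(self, app, category):
        """Return True to allow the call (506/514) or False to deny it (510)."""
        if category not in RESTRICTED_CATEGORIES:
            return True                 # harmless call, author not examined
        return self._author_authorized(app)

    def revoke_author(self, author):
        """A trusted entity withdrew its certification of this author."""
        self._revoked_authors.add(author)


def demo():
    # Constructed sample data; entity and application names are placeholders.
    system = PermissionSystem(trusted_entities={"TrustedWebProvider"})
    vouched = InstalledApp(
        "App262b", "AuthorB",
        DeliveryCertificate("AuthorB", frozenset({"TrustedWebProvider"})))
    unknown = InstalledApp(
        "App264c", "AuthorC",
        DeliveryCertificate("AuthorC", frozenset({"OtherProvider"})))
    results = {
        "vouched_first": system.handle_api_call(vouched, "location"),
        "vouched_second": system.handle_api_call(vouched, "contacts"),
        "unknown_harmless": system.handle_api_call(unknown, "sandboxed_storage"),
        "unknown_restricted": system.handle_api_call(unknown, "location"),
    }
    checks_before_revoke = system.cert_checks
    system.revoke_author("AuthorB")
    results["vouched_after_revoke"] = system.handle_api_call(vouched, "email")
    return results, checks_before_revoke


if __name__ == "__main__":
    print(demo())
```

Because the authorization is remembered after the first restricted call, the revocation check has to run before the cache lookup, otherwise a withdrawn certification would never take effect.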
Fig. 6 is a flowchart illustrating example process 600 for determining whether an application requiring one or more API calls may be installed on a device, based on certification of the application's author by one or more trusted entities. It should be appreciated that the operations in process 600 can be used in conjunction with other processes and aspects of the disclosure. Although process 600 is described with respect to the systems of Figs. 1 to 3B, process 600 is not limited thereto.
In block 602, a device (e.g., electronic device 104, mobile device 204 or mobile device 304) can process a request to install an application that requires one or more API calls to be made by the application to be installed. For example, the user of the device may wish to initiate a download of an application (e.g., application 262a) from a remote server. However, the user does not necessarily know, for example, who the author of the application is or what authority the author has.
Accordingly, the creating entity of the application can be determined (block 604). For example, the device can determine the creating entity of the application by receiving an indication from the remote server. In addition, the device can determine the creating entity of the application by receiving an indication from a trusted entity (such as trusted web search provider entity 252).
In block 606, the device can determine whether the creating entity is certified by one or more trusted entities (such as trusted web search provider 252). In some embodiments, the one or more trusted entities are considered to be trusted by the user of the device. For example, the device may include a list of trusted entities, including but not limited to web search providers, service providers, software developers, and other entities that can facilitate the distribution of applications.
In some examples, the determination of whether the creating entity is certified by one or more trusted entities can be based on a security certificate received from the one or more trusted entities in association with delivery of the application's code by the creating entity. In some embodiments, the security certificate is a Secure Sockets Layer (SSL) certificate. However, other techniques for providing security certificates and the like are also contemplated.
In addition, according to some aspects, the trust provided by one or more trusted entities in the example certification process can be time-limited. For example, determining whether the creating entity is certified by one or more trusted entities may include determining whether the certification of the creating entity by the one or more trusted entities has exceeded a validity period. In some embodiments, the validity period of a certification is one year; in other embodiments, a certification validity period of, for example, 30 days can be used.
Similarly, the device can receive a trust level assessment associated with a first trusted entity of the one or more trusted entities. The trust level assessment can be based, for example, on a number of security violations caused by applications of creating entities trusted by the first trusted entity. In this regard, the device can determine to remove the first trusted entity as a trusted entity of the device if the number of security violations (and/or the type/severity of the violations) is unacceptable to the device (e.g., against a relevant threshold in the device settings) or to the user of the device (e.g., upon reviewing a dialog screen). It should be appreciated that, in some embodiments, the trust level assessment is generated by a neutral third party.
In block 608, when the creating entity is certified by at least one trusted entity, installation of the application requiring one or more API calls can be allowed or permitted by the device. However, according to some examples, if it is determined that the application requiring one or more API calls is not certified by any trusted entity, installation of the application can be refused.
According to some aspects, a transitive trust technique can be used to allow installation of an application on the device. For example, a request from a remote server related to an application of a creating entity (e.g., application 264c or application 266) can be received by the device. In some examples, the remote server's request can originate from a third party (e.g., a trusted entity of the device that has not yet certified the creating entity but can act as an intermediary). In other examples, the remote server's request can originate directly from the creating entity and can be sent to the device in a secure manner (e.g., via an SSL connection). The request can identify the one or more API calls or required APIs of the application, and at least one transitive trusted entity that certifies the creating entity of the application.
The at least one transitive trusted entity (e.g., service provider 254) can be an entity that certifies and trusts the creating entity of the application (e.g., application 264c), but that has not been identified as a trusted entity of the device. For example, the device has not necessarily established a trusted relationship with the at least one transitive trusted entity, because the user of the device may be unaware of the existence of the particular entity, or may choose not to allow every application authorized by the particular entity in the absence of an explicit request.
For example, if at least one transition trusted entities is identified as trusted entities by equipment, in certain implementations In mode, the process of the clear request of remote server is received by unnecessary (for example, not to the request of installation the case where Under, if ISP 254 is the trusted entities of equipment, the creation entity trusted by ISP 254 will be allowed 264c is applied in creation, as described in block 606).Therefore, if equipment knows that (for example, being ratified by user) identifies one or more At least one transition trusted entities of the creation entity of the API and authentication application of the requirement of a API Calls or application Clear request, then equipment will allow perhaps can install application by the transition trust techniques.
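The install decision described above (direct trust, removal of a trusted entity after a trust-level assessment, and trust through an intermediary named in an explicit request) can be sketched as follows. This is an added example, not code from the patent; the class names, the `attestations` table standing in for real certificate verification, the threshold value and all sample entities are assumptions.

```python
from dataclasses import dataclass, field


@dataclass(frozen=True)
class InstallRequest:
    """Explicit request for an app that needs API calls (all fields are illustrative)."""
    app: str
    creator: str                                # creating entity of the application
    required_apis: tuple                        # API calls the application requires
    vouching_entities: frozenset = frozenset()  # intermediaries named in the request
    user_approved: bool = False                 # user acknowledged the explicit request


@dataclass
class Device:
    trusted_entities: set
    attestations: dict            # entity -> creators it has authenticated (assumed lookup)
    violation_threshold: int = 3  # assumed device setting
    audit: list = field(default_factory=list)

    def apply_trust_assessment(self, entity, violations):
        """Drop a trusted entity whose vouched-for apps caused too many violations."""
        if entity in self.trusted_entities and violations > self.violation_threshold:
            self.trusted_entities.discard(entity)
            self.audit.append(("untrusted", entity, violations))
            return True
        return False

    def _authenticators(self, creator):
        return {e for e, creators in self.attestations.items() if creator in creators}

    def decide_install(self, req):
        vouchers = self._authenticators(req.creator)
        direct = sorted(vouchers & self.trusted_entities)
        if direct:
            verdict = ("allow", "trusted:" + direct[0])
        else:
            # Only intermediaries that really authenticated the creator count;
            # a name merely asserted in the request is ignored.
            indirect = sorted(vouchers & req.vouching_entities)
            if indirect and req.user_approved:
                verdict = ("allow", "intermediary:" + indirect[0])
            elif indirect:
                verdict = ("deny", "explicit request not approved")
            else:
                verdict = ("deny", "creator not authenticated by any trusted entity")
        self.audit.append((req.app,) + verdict + (req.required_apis,))
        return verdict


if __name__ == "__main__":
    # Constructed sample data: "StoreA" is trusted, "ISP" only vouches for dev-3.
    device = Device({"StoreA"}, {"StoreA": {"dev-1"}, "ISP": {"dev-3"}})
    print(device.decide_install(InstallRequest("app1", "dev-1", ("contacts.read",))))
    print(device.decide_install(
        InstallRequest("app3", "dev-3", ("location.get",), frozenset({"ISP"}), True)))
```

The audit list keeps the APIs each request named, so a later review can see what was granted and on whose authentication.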
Fig. 7 conceptually illustrates an electronic system with which some implementations of the subject technology are implemented. Electronic system 700 can be a server, computer, phone, PDA, tablet computer, a television with one or more processors embedded in or coupled to it, or generally any electronic device. Such an electronic system includes various types of computer-readable media and interfaces for various other types of computer-readable media. Electronic system 700 includes a bus 708, processing unit 712, system memory 704, read-only memory (ROM) 710, permanent storage device 702, input device interface 714, output device interface 706, and network interface 716.
Bus 708 collectively represents all system, peripheral, and chipset buses that communicatively connect the numerous internal devices of electronic system 700. For example, bus 708 communicatively connects processing unit 712 with ROM 710, system memory 704, and permanent storage device 702.
From these various memory units, processing unit 712 retrieves instructions to execute and data to process in order to execute the processes of the subject disclosure. In various implementations, the processing unit can be a single processor or a multi-core processor.
ROM 710 stores static data and instructions needed by processing unit 712 and other modules of the electronic system. Permanent storage device 702, on the other hand, is a read-and-write memory device. This device is a non-volatile memory unit that stores instructions and data even when electronic system 700 is powered off. Some implementations of the subject disclosure use a mass-storage device (such as a magnetic or optical disk and its corresponding disk drive) as permanent storage device 702.
Other implementations use a removable storage device (such as a floppy disk or flash memory and its corresponding disk drive) as permanent storage device 702. Like permanent storage device 702, system memory 704 is a read-and-write memory device. Unlike storage device 702, however, system memory 704 is a volatile read-and-write memory, such as random access memory. System memory 704 stores some of the instructions and data that the processor needs at runtime. In some implementations, the processes of the subject disclosure are stored in system memory 704, permanent storage device 702, or ROM 710. For example, according to some implementations of the subject technology, the various memory units can include instructions for operations related to application permission and API access notification techniques. From these various memory units, processing unit 712 retrieves instructions to execute and data to process in order to execute the processes of some implementations.
Bus 708 also connects to input device interface 714 and output device interface 706. Input device interface 714 enables the user to communicate information and select commands to the electronic system. Input devices used with input device interface 714 include, for example, alphanumeric keyboards and pointing devices (also called "cursor control devices"). Output device interface 706 enables, for example, the display of images generated by electronic system 700. Output devices used with output device interface 706 include, for example, printers and display devices, such as cathode ray tubes (CRT) or liquid crystal displays (LCD). Some implementations include devices that function as both input and output devices, such as a touchscreen.
As shown in Fig. 7, bus 708 also couples electronic system 700 to a network (not shown) through network interface 716. In this manner, the computer can be part of a network of computers, such as a local area network ("LAN"), a wide area network ("WAN"), or an intranet, or a network of networks, such as the Internet. Any or all components of electronic system 700 can be used in conjunction with the subject disclosure.
The functions described above can be implemented in digital electronic circuitry, or in computer software, firmware or hardware. The techniques can be implemented using one or more computer program products. Programmable processors and computers can be included in or packaged as mobile devices. The processes and logic flows can be performed by one or more programmable processors and by one or more programmable logic circuits. General-purpose and special-purpose computing devices and storage devices can be interconnected through communication networks.
Some implementations include electronic components, such as microprocessors, storage and memory that store computer program instructions in a machine-readable or computer-readable medium (alternatively referred to as computer-readable storage media, machine-readable media, or machine-readable storage media). Some examples of such computer-readable media include RAM, ROM, read-only compact discs (CD-ROM), recordable compact discs (CD-R), rewritable compact discs (CD-RW), read-only digital versatile discs (for example, DVD-ROM, dual-layer DVD-ROM), a variety of recordable/rewritable DVDs (for example, DVD-RAM, DVD-RW, DVD+RW, etc.), flash memory (for example, SD cards, mini-SD cards, micro-SD cards, etc.), magnetic or solid-state hard drives, ultra-density optical discs, any other optical or magnetic media, and floppy disks. The computer-readable media can store a computer program that is executable by at least one processing unit and includes sets of instructions for performing various operations. Examples of computer programs or computer code include machine code, such as is produced by a compiler, and files including higher-level code that are executed by a computer, an electronic component, or a microprocessor using an interpreter.
For example, the instructions for performing the various operations can be stored in the memory units and implemented in one or more computer program products (such as one or more modules of computer program instructions encoded on a computer-readable medium) for execution by, or to control the operation of, electronic system 700, according to any method well known to those skilled in the art, including but not limited to computer languages such as data-oriented languages (for example, SQL, dBase), system languages (for example, C, Objective-C, C++, Assembly), architectural languages (for example, Java, .NET), and application languages (for example, PHP, Ruby, Perl, Python).
The instructions for performing the various operations can also be implemented in computer languages such as array languages, aspect-oriented languages, assembly languages, authoring languages, command-line interface languages, compiled languages, concurrent languages, curly-bracket languages, dataflow languages, data-structured languages, declarative languages, esoteric languages, extension languages, fourth-generation languages, functional languages, interactive-mode languages, interpreted languages, iterative languages, list-based languages, little languages, logic-based languages, machine languages, macro languages, metaprogramming languages, multiparadigm languages, numerical analysis, non-English-based languages, class-based object-oriented languages, prototype-based object-oriented languages, off-side rule languages, procedural languages, reflective languages, rule-based languages, scripting languages, stack-based languages, synchronous languages, syntax-handling languages, visual languages, Wirth languages, embeddable languages, and XML-based languages. In addition, the various memory units can be used to store temporary variables or other intermediate information during execution of the instructions by processor 712.
While the above discussion primarily refers to microprocessors or multi-core processors that execute software, some implementations are performed by one or more integrated circuits, such as application-specific integrated circuits (ASICs) or field-programmable gate arrays (FPGAs). In some implementations, such integrated circuits execute instructions that are stored on the circuit itself.
As used in this specification and any claims of this application, the terms "computer", "server", "processor", and "memory" all refer to electronic or other technological devices. These terms exclude people or groups of people. For the purposes of this description, the terms "display" or "displaying" mean displaying on an electronic device. As used in this specification and any claims of this application, the terms "computer-readable medium" and "computer-readable media" are entirely restricted to tangible, physical objects that store information in a form readable by a computer. These terms exclude any wireless signals, wired download signals, and any other ephemeral signals.
To provide for interaction with a user, implementations of the subject matter described in this specification can be implemented on a computer having a display device (for example, a CRT (cathode ray tube) or LCD (liquid crystal display) monitor) for displaying information to the user, and a keyboard and a pointing device (for example, a mouse or a trackball) by which the user can provide input to the computer. Other kinds of devices can be used to provide for interaction with a user as well; for example, feedback provided to the user can be any form of sensory feedback, such as visual feedback, auditory feedback, or tactile feedback; and input from the user can be received in any form, including acoustic, speech, or tactile input. In addition, a computer can interact with a user by sending documents to and receiving documents from a device that is used by the user; for example, by sending web pages to a web browser on a user's client device in response to requests received from the web browser.
Implementations of the subject matter described in this specification can be implemented in a computing system that includes a back-end component (for example, a data server), or that includes a middleware component (for example, an application server), or that includes a front-end component (for example, a client computer having a graphical user interface or a web browser through which a user can interact with an implementation of the subject matter described in this specification), or any combination of one or more such back-end, middleware, or front-end components. The components of the system can be interconnected by any form or medium of digital data communication, such as a communication network. Examples of communication networks include a local area network ("LAN") and a wide area network ("WAN"), an inter-network (for example, the Internet), and peer-to-peer networks (for example, ad hoc peer-to-peer networks).
The computing system can include clients and servers. A client and server are generally remote from each other and typically interact through a communication network. The relationship of client and server arises by virtue of computer programs running on the respective computers and having a client-server relationship to each other. In some implementations, a server transmits data (for example, an HTML page) to a client device (for example, for purposes of displaying data to and receiving user input from a user interacting with the client device). Data generated at the client device (for example, a result of the user interaction) can be received from the client device at the server.
It should be understood that any specific order or hierarchy of blocks in the processes disclosed is an illustration of example approaches. Based on design preferences, it should be understood that the specific order or hierarchy of blocks in the processes can be rearranged, or that all illustrated blocks be performed. Some of the blocks can be performed simultaneously. For example, in certain circumstances, multitasking and parallel processing can be advantageous. Moreover, the separation of various system components in the embodiments described above should not be understood as requiring such separation in all embodiments, and it should be understood that the described program components and systems can generally be integrated together in a single software product or packaged into multiple software products.
The previous description is provided to enable any person skilled in the art to practice the various aspects described herein. Various modifications to these aspects will be readily apparent to those skilled in the art, and the generic principles defined herein can be applied to other aspects. Thus, the claims are not intended to be limited to the aspects shown herein, but are to be accorded the full scope consistent with the language of the claims, wherein reference to an element in the singular is not intended to mean "one and only one" unless specifically so stated, but rather "one or more". Unless specifically stated otherwise, the term "some" refers to one or more. Pronouns in the masculine (for example, his) include the feminine and neuter gender (for example, her and its) and vice versa. Headings and subheadings, if any, are used for convenience only and do not limit the subject disclosure.
As used herein, the term website can include any aspect of a website, including one or more web pages, one or more servers used to host or store web-related content, and the like. Accordingly, the term website can be used interchangeably with the terms web page and server.
The predicate words "configured to", "operable to", and "programmed to" do not imply any particular tangible or intangible modification of a subject, but rather are intended to be used interchangeably. For example, a processor configured to monitor and control an operation or a component can also mean the processor being programmed to monitor and control the operation or the processor being operable to monitor and control the operation. Likewise, a processor configured to execute code can be construed as a processor programmed to execute code or operable to execute code.
As used herein, the phrase "at least one of" preceding a series of items, with the term "or" to separate any of the items, modifies the list as a whole, rather than each item of the list. The phrase "at least one of" does not require selection of at least one item; rather, the phrase allows a meaning that includes at least one of any one of the items, and/or at least one of any combination of the items, and/or at least one of each of the items. By way of example, the phrase "at least one of A, B, or C" can refer to: only A, only B, or only C; or any combination of A, B, and C.
A phrase such as "aspect" does not imply that such aspect is essential to the subject technology or that such aspect applies to all configurations of the subject technology. A disclosure relating to an aspect can apply to all configurations, or one or more configurations. A phrase such as an aspect can refer to one or more aspects and vice versa. A phrase such as "configuration" does not imply that such configuration is essential to the subject technology or that such configuration applies to all configurations of the subject technology. A disclosure relating to a configuration can apply to all configurations, or one or more configurations. A phrase such as a configuration can refer to one or more configurations and vice versa.
The word "example" is used herein to mean "serving as an example or illustration". Any aspect or design described herein as an "example" is not necessarily to be construed as preferred or advantageous over other aspects or designs.

Claims (14)

1. A computer-implemented method, the method comprising:
receiving a first application programming interface (API) call made by an application installed on a device;
determining a sensitivity level of the received first API call;
when the determined sensitivity level of the received first API call is associated with a restricted API category, determining whether the author of the installed application is an authorized author by determining whether the Secure Sockets Layer (SSL) certificate used to deliver the binary code to the device during the process of installing the application is owned by a trusted entity or confirmed by a trusted entity; and
when the author of the installed application is determined to be an authorized author, allowing the received first API call to access its associated API.
2. The method according to claim 1, further comprising:
when the author of the application is not determined to be an authorized author, denying the received first API call access to its associated API.
3. The method according to claim 1, further comprising:
receiving a second API call made by the installed application;
when the author of the installed application is determined to be an authorized author, allowing the received second API call to access its associated API.
4. A system for authorizing application permissions, the system comprising:
one or more processors; and
a memory including instructions that, when executed by the one or more processors, cause the one or more processors to:
receive a first application programming interface (API) call made by an installed application;
determine a sensitivity level of the received first API call;
when the determined sensitivity level of the received first API call is associated with a restricted API category, determine whether the author of the installed application is an authorized author by determining whether the Secure Sockets Layer (SSL) certificate used to deliver the binary code to a device during the process of installing the application is owned by a trusted entity or confirmed by a trusted entity; and
when the author of the installed application is determined to be an authorized author, allow the received first API call to access its associated API.
5. The system according to claim 4, wherein the instructions, when executed by the one or more processors, further cause the one or more processors to:
when the author of the application is not determined to be an authorized author, deny the received first API call access to its associated API.
6. The system according to claim 4, wherein the instructions, when executed by the one or more processors, further cause the one or more processors to:
receive a second API call made by the installed application;
when the author of the installed application is determined to be an authorized author, allow the received second API call to access its associated API.
7. A system for authorizing application permissions, the system comprising:
one or more processors; and
a memory including instructions that, when executed by the one or more processors, cause the one or more processors to:
detect an API call made by an application, the API call being for accessing data associated with a computing device;
determine a sensitivity level of the API call based on the associated data; and
based on the determined sensitivity level, provide an indication of the API call, wherein providing the indication comprises activating a hardwired indicator on the computing device or activating an indicator icon on a display screen of the computing device.
8. The system according to claim 7, wherein the instructions that, when executed by the one or more processors, cause the one or more processors to determine the sensitivity level of the API call based on the associated data further cause the one or more processors to determine whether the sensitivity level of the API call is at least one of high, medium, or low.
9. The system according to claim 7, wherein the instructions, when executed by the one or more processors, further cause the one or more processors to:
detect whether the indicator icon has been activated; and
in response to activation of the indicator icon, provide an API access log, the API access log comprising one or more API access entries associated with one or more corresponding API calls.
10. The system according to claim 7, wherein the instructions that, when executed by the one or more processors, cause the one or more processors to provide the indication of the API call based on the determined sensitivity level further cause the one or more processors to provide an entry to an API access log.
11. A non-transitory machine-readable medium comprising instructions stored therein which, when executed by a machine, cause the machine to perform operations, the machine-readable medium comprising:
instructions for detecting an API call made by an application, the API call being for accessing data associated with a computing device;
instructions for determining a sensitivity level of the API call based on the associated data; and
instructions for providing an indication of the API call based on the determined sensitivity level, wherein providing the indication comprises activating a hardwired indicator on the computing device or activating an indicator icon on a display screen of the computing device.
12. The non-transitory machine-readable medium according to claim 11, wherein the instructions for determining the sensitivity level of the API call based on the associated data comprise instructions for determining whether the sensitivity level of the API call is at least one of high, medium, or low.
13. The non-transitory machine-readable medium according to claim 11, further comprising:
instructions for detecting whether the indicator icon has been activated; and
instructions for providing, in response to activation of the indicator icon, an API access log, the API access log comprising one or more API access entries associated with one or more corresponding API calls.
14. The non-transitory machine-readable medium according to claim 11, wherein the instructions for providing the indication of the API call based on the determined sensitivity level comprise instructions for providing an entry to an API access log.
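The runtime behaviour recited in the claims (sensitivity classification, the author check against the certificate that delivered the binary, the indication, and the API access log) can be sketched as one gate. This is an added example, not code from the patent; the API names, the level-to-indicator mapping, the choice of HIGH as the restricted category, the fail-closed default and the `DeliveryCert` fields are assumptions.

```python
from dataclasses import dataclass, field
from enum import IntEnum


class Sensitivity(IntEnum):
    LOW = 1
    MEDIUM = 2
    HIGH = 3


# Constructed mapping of API names to sensitivity; the names are hypothetical.
API_SENSITIVITY = {
    "clock.now": Sensitivity.LOW,
    "location.get": Sensitivity.MEDIUM,
    "contacts.read": Sensitivity.HIGH,
}
RESTRICTED_LEVELS = {Sensitivity.HIGH}  # assumption: HIGH is the restricted API category


@dataclass(frozen=True)
class DeliveryCert:
    """SSL certificate that delivered the app's binary code at install time."""
    owner: str         # entity the certificate belongs to
    confirmed_by: str  # entity that confirmed the certificate


@dataclass
class ApiGate:
    trusted_entities: set
    delivery_certs: dict   # app -> DeliveryCert recorded during installation
    access_log: list = field(default_factory=list)
    icon_on: bool = False  # indicator icon on the display screen
    led_on: bool = False   # hardwired indicator

    def author_authorized(self, app):
        cert = self.delivery_certs.get(app)
        if cert is None:   # no recorded certificate: treat the author as unauthorized
            return False
        return (cert.owner in self.trusted_entities
                or cert.confirmed_by in self.trusted_entities)

    def handle_call(self, app, api):
        # Unknown APIs are classified HIGH so that the gate fails closed (assumption).
        level = API_SENSITIVITY.get(api, Sensitivity.HIGH)
        allowed = level not in RESTRICTED_LEVELS or self.author_authorized(app)
        # Every detected call gets a log entry, including denied attempts.
        self.access_log.append(
            {"app": app, "api": api, "level": level.name, "allowed": allowed})
        # Assumed mapping from level to indicator: icon for MEDIUM, LED for HIGH.
        if level is Sensitivity.MEDIUM:
            self.icon_on = True
        elif level is Sensitivity.HIGH:
            self.led_on = True
        return allowed

    def open_indicator(self, app=None):
        """User activated the indicator icon: return log entries and reset the icon."""
        self.icon_on = False
        return [e for e in self.access_log if app is None or e["app"] == app]


if __name__ == "__main__":
    # Constructed sample: "mail" was delivered under a certificate owned by "StoreA".
    gate = ApiGate({"StoreA"}, {"mail": DeliveryCert("StoreA", "RootX"),
                                "game": DeliveryCert("GameCo", "UnknownCA")})
    print(gate.handle_call("mail", "contacts.read"))   # True
    print(gate.handle_call("game", "contacts.read"))   # False
    print(gate.open_indicator())
```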
CN201480071883.3A 2013-12-31 2014-12-23 Using the notice of license Active CN105874462B (en)

Applications Claiming Priority (3)

Application Number Priority Date Filing Date Title
US14/145,644 2013-12-31
US14/145,644 US9256755B2 (en) 2013-12-31 2013-12-31 Notification of application permissions
PCT/US2014/072274 WO2015103058A1 (en) 2013-12-31 2014-12-23 Notification of application permissions

Publications (2)

Publication Number Publication Date
CN105874462A CN105874462A (en) 2016-08-17
CN105874462B true CN105874462B (en) 2019-06-14

Family

ID=53482122

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201480071883.3A Active CN105874462B (en) 2013-12-31 2014-12-23 Using the notice of license

Country Status (6)

Country Link
US (2) US9256755B2 (en)
EP (2) EP3090374B1 (en)
CN (1) CN105874462B (en)
AU (1) AU2014374041B2 (en)
CA (1) CA2931640C (en)
WO (1) WO2015103058A1 (en)

Also Published As

Publication number Publication date
EP3090374A4 (en) 2017-07-26
AU2014374041A1 (en) 2016-06-09
US20150186664A1 (en) 2015-07-02
WO2015103058A1 (en) 2015-07-09
AU2014374041B2 (en) 2017-03-30
CA2931640C (en) 2019-09-17
EP3090374B1 (en) 2018-08-22
US9256755B2 (en) 2016-02-09
CN105874462A (en) 2016-08-17
EP3404571A1 (en) 2018-11-21
EP3090374A1 (en) 2016-11-09
CA2931640A1 (en) 2015-07-09
US9990508B1 (en) 2018-06-05

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
CB02 Change of applicant information

Address after: California, USA
Applicant after: Google LLC
Address before: California, USA
Applicant before: Google Inc.

GR01 Patent grant